Etsy joins bug bounty crew

Powered by SC Magazine
 

Offers $500 minimum, a t-shirt and a high-five.

Online art and clothing store Etsy has opened a bug bounty program that would reward security researchers for reporting vulnerabilities found on the website.

The company would offer a minimum of $US500 ($A479) for bugs and more for “distinctly creative or severe security bugs”. It did not state a maximum payout.

It would accept web application vulnerabilities such as Cross Site Scripting and Cross-site request forgeries, authentication issues, remote code execution, and authorisation problems within Etsy.com, the site’s application programming interface, and its mobile application.

“This means please do not test for: spam, social engineering, or denial of service vulnerabilities,” it said in a statement.

“You also must not disrupt any service or compromise anyone’s data.”

It said bug bounties were “industry best practice”.

The bug bounty program follows the company's publication of responsible disclosure policies in April that eliminated fear of legal action in response to unauthorised security tests and encouraged researchers to report vulnerabilities.

Those who previously reported flaws will be paid under the new program.

Etsy is the latest in a string of companies including Google, Mozilla, Facebook and Samsung prepared to shell out for privately-disclosed vulnerabilities.

PayPal began offering a similar option in June after the company’s chief security officer Michael Barrett changed his tune on paying for vulnerabilities.

Google paid out $2 million in bounties at the Malaysian Hack in the Box conference, including $60,000 for researchers who pull off a "full Chrome exploit", which involves an attack that leverages only vulnerabilities in the Chrome browser. 

It paid $50,000 for a "partial Chrome exploit", which requires the use of bugs in third-party software.

But Microsoft considers bug bounties superfluous. Its security response centre was inundated with free vulnerability reports from researchers looking for fame, not fortune. Up to 80 percent of Microsoft vulnerabilities were privately and freely reported.

Redmond has instead chosen to pay up to $20,000 under its BlueHat competition to researchers who create defensive technologies which block a class of exploits.

Copyright © SC Magazine, Australia


Etsy joins bug bounty crew
 
 
 
Top Stories
NSW to build its own myGov
Service NSW digital profiles available by September.
 
Android bug leaves a billion phones open to attack
Hackers only need phone number to target devices.
 
Australia's leaders agree to end GST-free online goods
Gerry Harvey may finally get his way.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest articles on BIT Latest Articles from BIT
Microsoft reveals Microsoft Send, a new enterprise chat app to rival Slack
Jul 27, 2015
Microsoft Send is MSN Messenger for grownups, and you could be using it at work very soon
Developers offered $500,000 grants to find HoloLens uses
Jul 8, 2015
Can augmented-reality end up in business?
Microsoft Tossup: The planning app for unorganised groups of friends
Jul 8, 2015
App allows friends to research venues, vote on plans and chat. And depending on how you run your ...
Windows 10 drops 29 July... but only for some
Jul 6, 2015
If you've reserved your copy of Windows 10 and are keenly awaiting its 29 July release, don't ...
Xerocon is heading to Melbourne!
Jul 1, 2015
We're not saying Xero is our FAVOURITE or anything, but Xero's 2015 Xerocon conference is being ...
Latest Comments
Polls
Should law enforcement be able to buy and use exploits?



   |   View results
Yes
  13%
 
No
  51%
 
Only in special circumstances
  17%
 
Yes, but with more transparency
  19%
TOTAL VOTES: 711

Vote